For Example: You may have a policy for the Print/Fax Protocol with a rule that is looking for a file name.  In that policy you have an exception for a keyword.  When testing this with a file containing the keyword, you still get an incident. 

It is not possible to have a policy using MetaData, such as a filename, with an exception in the content of the file when using Print/Fax.

This is because Print/Fax is session based; it sends one page at a time to detection engine. Before sending a page to detection engine, it sends metadata first, and then first data pages. As evident, the metadata request does not contain any data.

Since the policy blocks all print with a keyword exception, the first metadata request always matches the rule (since it does not contain any data to match the exception) and therefore the block pop-up is seen. If there is no response rule created, then this would just be a false positive incident.